Problem is IMSPY



#1 TBatt

Posted 02 June 2004 - 11:42 AM

Hello ...

I have a popup called IMSPY that wants me to register, etc. I did not invite this SW onto my computer. I have used CWShredder, SpyBot-S&D, Adaware, and Spysweeper. None of them find the problem SW.

Can anyone help with this?

Thank you in advance,

TBatt

#2 angoid

Posted 02 June 2004 - 11:56 AM

Hi TBatt,

Can you download HijackThis please? There's a link in my signature.

Create a new folder and place the program into it. Run it, and click on Scan. When the scan has completed (only a few seconds at worst), the Scan button will change to Save Log. Click that, save the logfile, and a Notepad session will open up. Copy and paste the entire contents into this thread, and we'll analyse it for you.

Please don't, whatever you do, have it fix anything at this stage as much of what it lists is either harmless or essential to the running of your system.

Edited by angoid, 02 June 2004 - 11:58 AM.

If you don't know what eschatology is then don't worry; it's not the end of the world.

#3 TBatt

Posted 02 June 2004 - 02:10 PM

Hello Angoid ...

Thank you for the response. Here is the log file as you requested.

TBatt


Logfile of HijackThis v1.97.7
Scan saved at 2:09:21 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\spywarebegone\SpywareBeGone.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\winbas12.exe
C:\Program Files\imspy.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\INSTAN~1\Presario\XPPNARS3EN\plugin\bin\pchbutton.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\POPUPB~1\PopupBeGone.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\POPUPB~1\IEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {F2BE9B16-EE6B-6E0C-024B-D8A6C6FA1551} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [ImSpy] C:\Program Files\imspy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\INSTAN~1\Presario\XPPNARS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [AllTracksGone] C:\Program Files\AllTracksGone\alltracksgone.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...stx/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#4 nemmisa

Posted 02 June 2004 - 05:48 PM

Hi, I had this same problem myself today. If you have got Spybot S&D, open it in advanced mode, then go to Tools. On the page, make sure System Startup is ticked; it will appear in the side panel. Click this, then in the entries listed remove the ticks from winbas12.exe and imspy.exe, then reboot. You can then delete winbas12.exe and imspy from C:\Program Files. Hope this helps.

#5 TBatt

Posted 03 June 2004 - 09:04 AM

Thank you, I will give this a try and see how it goes.

TBatt

#6 TBatt

Posted 03 June 2004 - 12:26 PM

Thank you Nemmisa...

So far, this seems to have worked. I could not find the programs listed in the program list, so I couldn't remove them, but I unchecked the boxes in Spybot S&D and so far IMSPY has not re-shown its ugly head.

I appreciate the help,

TBatt

#7 nemmisa

Posted 03 June 2004 - 02:07 PM

Hi TBatt, glad that helped. If you double click on My Computer, then the C drive, then open Program Files, you should be able to delete imspy.exe and winbas12.exe, as they are no longer running. This is what I did yesterday.

#8 angoid

Posted 07 June 2004 - 04:45 PM

Hi Tbatt, and sorry for the huge delay in getting back to you :weep:

Can you close all applications, leaving only HijackThis running, and place a check against the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O3 - Toolbar: (no name) - {F2BE9B16-EE6B-6E0C-024B-D8A6C6FA1551} - (no file)
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [ImSpy] C:\Program Files\imspy.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...stx/install.cab


Uninstall SpywareBeGone using Add/Remove programs if it exists. If it doesn't then you'll need to fix this line also:
O4 - HKLM\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan

Disable, or uninstall SpySweeper, as it's known to cause problems. It's identified by this line in your log:
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

Do you use peer-to-peer file sharing? If not, fix these lines also:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Click on Fix Checked, and exit HijackThis. Reboot your system and post a fresh log, and we'll take another look.
If you don't know what eschatology is then don't worry; it's not the end of the world.
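
An added example, not part of any post in this thread and not HijackThis's own logic: a small triage pass over a pasted HijackThis log that surfaces the kinds of entries picked out above. The four heuristics (unnamed Run value, executable sitting directly in Program Files, BHO or toolbar with no file, DPF entry with no source URL) are assumptions made for illustration; the sample lines are copied from the log in post #3.

```python
import re

# Sample input: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F2BE9B16-EE6B-6E0C-024B-D8A6C6FA1551} - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [ImSpy] C:\Program Files\imspy.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$')
# Executable path: either the quoted part, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)
# A file directly under C:\Program Files, with no vendor subfolder.
ROOT_RE = re.compile(r'c:\\program files\\[^\\]+', re.IGNORECASE)

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(("O2 - ", "O3 - ")) and \
                line.endswith(("(file missing)", "(no file)")):
            findings.append(("orphaned BHO/toolbar", line))
        elif line.startswith("O16 - DPF:") and line.endswith("-"):
            findings.append(("DPF without source URL", line))
        else:
            m = RUN_RE.match(line)
            if not m:
                continue
            name, command = m.group(3), m.group(4)
            exe = EXE_RE.match(command)
            path = (exe.group(1) or exe.group(2)) if exe else command
            if not name:
                findings.append(("Run value with empty name", line))
            elif ROOT_RE.fullmatch(path):
                findings.append(("executable directly in Program Files", line))
    return findings
```

A hit only marks a line for manual review; as the thread itself notes, much of what HijackThis lists is harmless or essential.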



